[Update] Google knows where you've been and they might be holding your encryption keys

On the heels of other disturbing stories about Google and privacy and security issues, blogger Donovan Colbert discovered another problem with info that his Android device shares with Google. [Updated post]

After waiting in disappointment after missing the original rush for the ASUS Eee PC Transformer Android-based tablet, last night I finally got my hands on it and the keyboard dock that converts the device into an Android netbook. My iPad and my Lenovo S10 are both quaking in fear right now, and they probably should be. I'm still learning about this device, and actually I'm writing this document on the Eee Pad using the bundled Polaris Office application - so this article won't be a review of my experience with the device. Instead, this will be about an interesting thing I discovered about Android OS that increases my growing concern and discontent with this new era of personal digital devices and the companies that sit behind their emerging place in our lives.

I purchased the machine late last night after work. I brought it home, set it up to charge overnight, and went to bed. This morning when I woke I put it in my bag and brought it to the office with me. I set up my Google account on the device, and then realized I had no network connection. My first response was to connect to our corporate public network connection - but we just moved offices and I did not know the WPA2 key off the top of my head. Instead, I pulled out my Virgin Mobile Mi-Fi 2200 personal hotspot and turned it on. I searched around Honeycomb looking for the control panel to select the hotspot and enter the encryption key. To my surprise, I found that the Eee Pad had already found the Virgin hotspot, and successfully attached to it. I literally questioned myself, wondering if I had simply already attached to the hotspot from the Eee Pad and forgotten about it. But that was not the case.

As I looked further into this puzzling situation, I noticed that not only was my Virgin Hotspot discovered and attached, but a list of other hotspots, including the hotspot at my campground (a 45-minute drive away) were also listed in the Eee Pad's hotspot list. The only conclusion that one can draw from this is obvious - Google is storing not only a list of what hotspots you have visited, but any private encryption keys necessary to connect to those hotspots in the cloud.

Beyond the obvious personal privacy issues this raises, there are other concerns that might not be as readily apparent. One might argue that if you use an Android product and Google services, you implicitly consent to this "feature" of the Android OS platform. But many of the Wi-Fi access points we access are not our own, and frequently there are specific terms of service associated with these APs; generally, that we will not disclose the encryption keys for these APs to third parties. This is a reasonable and obvious security policy, but clearly Google doesn't care about the ToS policies on shared public hotspots protected by encryption.

As far as I can tell, there is no clear and easy way for Android end-users to "opt out" of sending their access points to Google for storage on the cloud and synchronization to other Android devices the user may own. If this is the case, Google gives the Android device user two choices: do not access public encrypted wireless access points or violate their terms of service by sharing those access keys with Google. The obvious response that I would expect third party public encrypted hotspot owners to adopt is to specifically prohibit subscribers from accessing those APs via Android devices. As noted, my corporate office has a public, protected wireless access point. The idea that every Android device that connects with that access point shares our private corporate access key with Google is pretty unacceptable. The frustrating thing is that this isn't just something I would have to make a policy for visitors, but even our own employees with Android devices should be prohibited from accessing our public Wi-Fi AP. Unfortunately, this includes me.

In a recent blog for TRoL I suggested that our future under the corporate rule of Facebook, Google, and Apple might make the darkest days of the Microsoft Empire look pretty benevolent and progressive — as more and more information like this is exposed about how Google and Facebook regard personal privacy issues. I think it illustrates that my concern is relatively well founded. This isn't just a trivial concern. The fact that my company can easily lose control of their own proprietary WPA2 encryption keys just by allowing a user with an Android device to use our wireless network is significant. It illustrates a basic lack of understanding on the ethics of dealing with sensitive corporate and personal data on the behalf of the engineers, programmers and leadership at Google. Honestly, if there is any data that shouldn't be harvested, stored and synched automatically between devices, it is encryption keys, passcodes and passwords. It makes you wonder what other information Google might be harvesting and storing to "add value" to your "Google Experience".

Because — make no mistake about it, that is the spin that Google would put on this "feature". And, it is convenient - especially for the consumer who doesn't know better and would willingly sacrifice their personal privacy for a little convenience that makes them have to think less about their personal technology. That is the thing that I may be the most troubled by. I'd argue that many of the biggest abuses that Redmond was guilty of in cutting corners were achieved with the complicit assistance of the consumers. They willingly traded in reliability and security for convenience. It seems that Google was paying attention to Redmond's playbook in this regard. I doubt many consumers will see the problem with the implications of what is going on here - but it is clear to me, and I'm certain that I don't like it.

What do you think? Is this an innocent, excusable mistake? Is Google a company that only has the best interests of the consumers at heart? Are we making too much out of this, or has Google crossed the boundaries of reasonable behavior? If anyone can confirm or refute the results I've encountered here, I am also interested in hearing your experiences.

For the record, my experience as described was with an Acer Eee Pad Transformer I purchased last night. I haven't confirmed the experience and never noted it before on any of my other Android devices. Is this a Honeycomb "feature"? An Eee Pad feature? If anyone has any additional information, feel free to contribute to the discussion in the forum.

*Update to original post:

As pointed out by several readers, including TechRepublic reader danmcgee, you can opt out of the behavior in Android. It seems that many, if not all, Android devices are configured to back up settings by default, and the disclosure of what information is backed up varies from device to device and by version of Android.

If the option is available on your device, you will find it in the Settings\Privacy menu. Unchecking "Back Up My Data" will disable this feature. Please note that this is not granular; you either opt-in and back up all of your data including hotspot names and keys, or you opt-out and back up nothing. On my Droid 2, this option simply states, "Back up my data - Back up my settings and other application data". When disabled it brings up a dialog "Backup! Are you sure you want to stop backing up your settings and application data and erase all copies on Google servers". When you hit "OK" there is no further dialog. When you re-enable this option, there are no additional dialogs informing you that your Wi-Fi keys are being backed up. The video below illustrates exactly what I see with my Droid 2:

About Donovan Colbert

Donovan Colbert has over 16 years of experience in the IT Industry. He's worked in help-desk, enterprise software support, systems administration and engineering, IT management, and is a regular contributor for TechRepublic. Currently, his professional role is as a Linux support engineer for a fast-growing Linux/FOSS consultancy group. You can follow him @dcolbert on Twitter or his personal blog, located at http://donovancolbert.blogspot.com.